acme when dns provider does not allow dns challenge
Gertjan last edited by
You are using DNSSEC, so the resources needed to zone handling explode by a factor xx.
The entire zone has to be re signed.
The zone slave DNS server(s) are signalled that "something changed".
They - the slaves, when they see fit, come back to the master name server to "sync" the entire zone - the data needed to do so is also far - far more as a non-DNSSEC zone.
Keep in mind : those name servers that are "offered" to you when you rent a domain from a registrar are not blazingly fast. They are protected to deal with all the zone errors that are introduced these days ... they don't sync "as you want" - some take minutes or hours to do so.
The issue is : acme pfSense uses scripts - to update the remote dns server by whatever API the registrar made available. With this script - and settings to ID, the master DNS can be updated.
When done, the DNS-Sleep is needed, because, when Letenscrypt start to test, it could test the master DNS of your zone, or the slave (or one of the slaves). If they - the slaves - didn't sync (XFER'ed) yet, the cert request goes KO.
To make a long story short : set DNS-Sleep to 300 seconds, or more.
Of course, this story start to apply when all your settings are correct.
I don't see how the doubling could take place, unless I can't see the wood for all the trees..
No trees, no wood.
It's "acme logs" ..... so : look at it - they are there to show the errors ^^
(one should only ignore logs when all is fine )
Proceed like this :
Locate acme the log file for the concerned domain.
Truncate it (make it zero byte size).
Do what needs to be done for renewing.cert.
Re open the log file, and admire the result.
Btw : be careful : 5 identical renewals for the same domain => your out for the week.
Great.. your all set then, cert and dnssec ;)
Been like a year or so sense set that up I think... I know I had done a wild card at one point, and was reversing plex through cloudflare at one point. But stopped doing that because some users were having issues.. And didn't have time to troubleshoot it, and I could not reproduce the problem on my end.. So I just turned it off and have not had time to go back to doing it that way.
But the ombi instance I have running for them to request stuff is still using acme cert. Which a few of them use and have not reported any issues... I get requests from it now and then for movies ;)
I was using the cloudflare as reverse proxy for some layer of protection for plex... But now I just changed the outside port and locked it to only NA IPs via pfblocker.. I am happy with the setup compared to just 32400 open to the planet ;)
edit: @Gertjan he moved his NS to cloudflare, so none of the slow registrars NS would be in play here.
tn1rpi3 last edited by tn1rpi3
@johnpoz Yeah, DNSSEC + certificate are in place now.
Big thanks to all who gave me their input; Special thanks again to you!
Next it's verifying my HAProxy settings on pfsense. -
The sites have been sitting on LXC instances for a while now.
Hope I can put them live in the near future.
I've played with plex in the past, but never used ombi. I went with Kodi for a couple of years until I mothballed it again. Sounds interesting, though.
I've hosted 12bfree.com before, but not in this constellation.
Previously, the cert renewal was a simple HTML 01 challenge with IP-Cop set to port-forwarding.
Additional sites were configured to show as subfolders.
That constellation was a lot quicker to set up..
tn1rpi3 last edited by
I see how speed may become an issue here.
set DNS-Sleep to 300 seconds, or more.
I'll certainly remember that setting when needed.